Main Menu
Print PDF

Corporate Statements About GDPR Spark Securities Class Action Lawsuit

Cyber Law and Data Protection Alert | September 6, 2018
By: Joshua Mooney and Andrew Lipton

Since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, commentators and analysts have speculated about the regulation’s potential effect on securities class action suits based on directors’ and officers’ statements with respect to GDPR compliance. In a climate where securities class actions have increased in frequency each year, the question has become a critical one for boards of directors and their insurers (both D&O and cybersecurity), as each has tried to forecast whether GDPR would provide a new breeding ground for securities class actions. The case Bhattacharya v. Nielsen Holdings PLC, et al., Case No. 18-07677, filed on August 22, 2018 in the United States District Court for the Southern District of New York may begin to provide an answer.

In Bhattacharya, the plaintiff, a shareholder of the media ratings company Nielsen, alleges that the company and its directors and officers repeatedly misstated to the public that “because privacy was built into the way its [Nielsen’s] business processes, the enactment of the European General Data Protection Regulation (‘GDPR’) would not impact its business, nor limit necessary access to large data sets provided by its partners like Facebook.” According to the lawsuit, defendants also informed the public that “we have access to all the data that we need for our measurement products,” and “the [GDPR] has been more of a nonevent.” According to the lawsuit, that turned out to not be the case.

The lawsuit contends that Nielsen revealed the “truth” of GDPR’s effect on July 26, 2018, when the company revised its financials by, among other things, reducing its estimated free cash flow guidance by $250 million. According to the lawsuit, Nielsen repeatedly cited GDPR for the reason of the revised financials, stating:

  • “General Data Protection Regulation and changes in the consumer data privacy landscape impacted our growth rates in the near-term as clients and partners grapple with the changes and work to ensure compliance.”
  • “Marketing Effectiveness revenues increased 7.2%, or 6.0% on a constant currency basis, . . . partly offset by pressure on our clients and partners from the impact of the General Data Protection Regulation (GDPR) and other consumer data privacy considerations.”
  • “[Our] digital advertising ecosystem saw a disruption in the second quarter as large digital platforms made changes to their offerings to increase security for consumer data.”

Following Nielsen’s release of its revised financials, Nielsen’s stock price fell by more than 25 percent. According to the lawsuit, certain Nielsen directors and officers made materially false and misleading statements about GDPR’s effect, and “recklessly disregarded” the company’s actual (lack of) preparedness for the effect of the privacy regulation on the company’s current and future financial growth. The lawsuit also contends that the company undersold the importance of its dependence on third-party data set providers, like Facebook, and how privacy policy changes undertaken by such providers would affect Nielsen’s ability to maintain and/or increase its business performance. The lawsuit contends that these materially false and misleading statements violated multiple sections of the Securities Exchange Act of 1934.

While only in its preliminary stages, this case provides good early lessons for both company boards of directors and insurers. GDPR and other similar privacy laws being passed in the United States and worldwide can have a significant impact upon business growth. Statements issued by public companies and their board of directors concerning these privacy laws are and will be scrutinized by investors. Where companies publicly underestimate the impact of privacy regulation, whether in a SEC filing or elsewhere, an investigation and/or lawsuit certainly may follow. Bhattacharya may be a bellwether case to watch.

If you have questions or would like more information, please contact Josh Mooney (; 215.864.6345) or Andrew Lipton (; 212.631.1252).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.
Back to Page